Right. The reason it works fine is because mozldap uses moznss for
crypto - you are using a build of openldap that uses openssl for
crypto. You will need to either rebuild openldap to use moznss for
crypto, or extract your CA certificates from /path/to/ldap_certdb to pem file(s) and use those files instead of using
the cert/key db.

I know there’s no problem with LDAP certificate store
/path/to/ldap_certdb because a simple LDAP client test program
written in Mozilla LDAP C-SDK worked fine connecting to this same
AD server, over SSL.

I need to know if I am using the correct OpenLDAP client API calls.

Yes, but it looks like you are using
OpenLDAP built with openssl, not Mozilla NSS. If your
OpenLDAP is provided by some vendor, and you cannot
change/rebuild with moznss support, you'll have to export the
CA certificate(s) from the /path/to/ldap_certdb and pass them
to OpenLDAP with either a single file and LDAP_OPT_X_TLS_CACERTFILE or an
openssl style ca cert dir with LDAP_OPT_X_TLS_CACERTDIR.
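
The export step described in this reply, as an added example that is not part of the original thread: it picks the CA entries out of an NSS cert db listing by their trust flags and writes them to one PEM bundle that can be passed via LDAP_OPT_X_TLS_CACERTFILE. It assumes NSS `certutil` is installed; the function names, the nicknames and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: export CA certificates from an NSS cert db to a PEM bundle.
# Assumption: NSS certutil is on PATH when export_ca_bundle is called.

# Constructed sample of `certutil -L -d <db>` output, for an offline check.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example AD Root CA                                           CT,C,C
Example Issuing CA                                           C,,
ldap-client-cert                                             u,u,u
'

# Read a certutil -L listing on stdin and print the nicknames whose SSL
# trust field (first of three comma-separated fields) contains C or T,
# i.e. certificates trusted as CAs. Nicknames may contain spaces.
ca_nicknames() {
    awk '
        NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            split($NF, t, ",")
            if (t[1] ~ /[CT]/) {
                nick = $0
                sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop trust column
                sub(/^[ \t]+/, "", nick)                # drop leading blanks
                print nick
            }
        }'
}

# Export every trusted CA in the db directory $1 into the PEM file $2.
# -L lists, -d names the db directory, -n selects a nickname, -a emits
# ASCII (PEM) instead of DER.
export_ca_bundle() {
    db=$1
    out=$2
    : > "$out"
    certutil -L -d "$db" | ca_nicknames | while IFS= read -r nick; do
        certutil -L -d "$db" -n "$nick" -a >> "$out"
    done
}
```

Called as `export_ca_bundle /path/to/ldap_certdb ca-bundle.pem`, it leaves client certificates and private keys in the db and exports only the CA certificates the OpenSSL-based OpenLDAP build needs to verify the server.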